Imperva SecureSphere
Security Target
Version 0.4
12 November 2015
Prepared for:
Imperva Inc.
3400 Bridge Parkway, Suite 200
Redwood Shores, CA 94065
United States
Prepared by:
Leidos Inc. (formerly Science Applications International Corporation)
Common Criteria Testing Laboratory
6841 Benjamin Franklin Drive, Columbia, Maryland 21046
Security Target 12 November 2015
7
1. SECURITY TARGET INTRODUCTION ........................................................................................................... 4
1.1 SECURITY TARGET, TOE AND CC IDENTIFICATION ........................................................................................ 4 1.2 CONFORMANCE CLAIMS ................................................................................................................................. 5 1.3 CONVENTIONS ................................................................................................................................................ 5
1.3.1 Terminology .......................................................................................................................................... 5
1.3.2 Abbreviations ......................................................................................................................................... 6
2. TOE DESCRIPTION .......................................................................................................................................... 8
2.1 PRODUCT DESCRIPTION .................................................................................................................................. 8 2.2 TOE OVERVIEW ........................................................................................................................................... 10 2.3 TOE ARCHITECTURE .................................................................................................................................... 11
2.3.1 Physical Boundaries ............................................................................................................................. 11
2.3.1.1 Software Requirements ........................................................................................................................ 13
2.3.2 Logical Boundaries .............................................................................................................................. 13
2.4 TOE DOCUMENTATION ................................................................................................................................ 14
3. SECURITY PROBLEM DEFINITION .......................................................................................................... 15
4. SECURITY OBJECTIVES .............................................................................................................................. 16
4.1 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT ................................................................... 16
5. IT SECURITY REQUIREMENTS .................................................................................................................. 17
5.1 EXTENDED REQUIREMENTS .......................................................................................................................... 17 5.2 TOE SECURITY FUNCTIONAL REQUIREMENTS ............................................................................................. 18
5.2.1 Security audit (FAU) ........................................................................................................................... 18
5.2.2 Cryptographic support (FCS) ............................................................................................................... 20
5.2.3 User data protection (FDP) .................................................................................................................. 22
5.2.4 Identification and authentication (FIA)................................................................................................ 22
5.2.5 Security management (FMT) ............................................................................................................... 23
5.2.6 Protection of the TSF (FPT) ................................................................................................................ 23
5.2.7 TOE access (FTA) ............................................................................................................................... 24
5.2.8 Trusted path/channels (FTP) ................................................................................................................ 24
5.3 TOE SECURITY ASSURANCE REQUIREMENTS ............................................................................................... 25
6. TOE SUMMARY SPECIFICATION .............................................................................................................. 25
6.1 SECURITY AUDIT .......................................................................................................................................... 25 6.2 CRYPTOGRAPHIC SUPPORT ........................................................................................................................... 26 6.3 USER DATA PROTECTION .............................................................................................................................. 28 6.4 IDENTIFICATION AND AUTHENTICATION ....................................................................................................... 29 6.5 SECURITY MANAGEMENT ............................................................................................................................. 29 6.6 PROTECTION OF THE TSF ............................................................................................................................. 30 6.7 TOE ACCESS ................................................................................................................................................. 31 6.8 TRUSTED PATH/CHANNELS ........................................................................................................................... 31
7. PROTECTION PROFILE CLAIMS ............................................................................................................... 33
8. RATIONALE ..................................................................................................................................................... 34
8.1 TOE SUMMARY SPECIFICATION RATIONALE ................................................................................................ 34
LIST OF TABLES
Security Target 12 November 2015
7
Table 1 TOE Security Functional Components ...................................................................................................... 18 Table 2 Auditable Events .......................................................................................................................................... 20 Table 3 Assurance Components ............................................................................................................................... 25 Table 4 Cryptographic Functions ............................................................................................................................ 27 Table 5 Key/CSP Zeroization Summary ................................................................................................................. 28 Table 6 SFR Protection Profile Sources .................................................................................................................. 33 Table 7 Security Functions vs. Requirements Mapping ......................................................................................... 35
Security Target 12 November 2015
7
1. Security Target Introduction
This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST
conformance claims, and the ST organization. The TOE is Imperva SecureSphere v11.5 Patch 5 running on two or
more of the Imperva appliances listed below in Section 1.1, including one or more Management Servers and one or
more Gateways. The product is a set of network security appliances for advanced threat detection with Intrusion
Prevention System (IPS) capabilities. SecureSphere provides protection from attacks against database, file, Web,
and Web Services assets, both within the organization (insider attacks) and from without. Installed on the network as
a reverse Hypertext Transfer Protocol (HTTP) proxy, a transparent inline bridge or as an offline network monitor
(sniffer), a SecureSphere Gateway monitors application-level protocols for attacks, and reacts by blocking the
attacks and/or reporting them to a centralized management server. The focus of this evaluation is on the TOE
functionality supporting the claims in the Protection Profile for Network Devices (See section 1.2 for specific
version information). The security functionality specified in [NDPP] includes protection of communications
between TOE components and trusted IT entities, identification and authentication of administrators, auditing of
security-relevant events, ability to verify the source and integrity of updates to the TOE, and specifies FIPS-
validated cryptographic mechanisms.
The Security Target contains the following additional sections:
TSF TOE Security Function(s)
TOE Description (Section 0)
Security Problem Definition (Section 3)
Security Objectives (Section 4)
IT Security Requirements (Section 5)
TOE Summary Specification (Section 6)
Protection Profile Claims (Section 7)
Rationale (Section 8).
1.1 Security Target, TOE and CC Identification
ST Title – Imperva SecureSphere Security Target
ST Version – Version 0.4
ST Date – 12 November 2015
TOE Identification –Imperva SecureSphere v11.5 Patch 5 software running on two or more of the Imperva
appliances listed below, including one or more Management Servers and one or more Gateways:
Hardware appliance:
Gateway Appliances: X1010, X10K, X2010, X2510, X4510, X6510, X8510
MX Management Server Appliances: M110, M160
Virtual Machine Appliances:
V1000, V2500, V4500 (for Gateway)
VM150 (for MX)
And optionally a SecureSphere Operations Manager (SOM) Management Server appliance or Virtual Machine
Appliance:
Appliances: M160
Virtual Machine Appliance: VM150
Note: MX and SOM are two management applications using the same code base. MX, Gateway and SOM are all
installed using the same image, during installation user choses the application to install.
TOE Developer – Imperva, Inc.
Evaluation Sponsor – Imperva, Inc.
CC Identification – Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4,
September 2012
1.2 Conformance Claims
This TOE is conformant to the following CC specifications:
This ST is conformant to the Protection Profile for Network Devices, Version 1.1, 8 June 2012 (NDPP) as
amended by Errata #3 dated 3 November 2014, and includes the additional optional SFRs:
FCS_HTTPS_EXT.1, FCS_SSH_EXT.1, FCS_TLS_EXT.1, and FPT_ITT.1.
Common Criteria for Information Technology Security Evaluation Part 2: Security functional components,
Version 3.1, Revision 4, September 2012.
Part 2 Extended
Security Target 12 November 2015
2
Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components,
Version 3.1 Revision 4, September 2012.
Part 3 Conformant
1.3 Conventions
The following conventions have been applied in this document:
Security Functional Requirements – Part 2 of the CC defines the approved set of operations that may be
applied to functional requirements: iteration, assignment, selection, and refinement.
o Iteration: allows a component to be used more than once with varying operations. In the ST,
iteration is indicated by a number in parentheses placed at the end of the component. For example
FDP_ACC.1(1) and FDP_ACC.1(2) indicate that the ST includes two iterations of the
FDP_ACC.1 requirement, (1) and (2).
o Assignment: allows the specification of an identified parameter. Assignments are indicated using
bold and are surrounded by brackets (e.g., [assignment]). Note that an assignment within a
selection would be identified in italics and with embedded bold brackets (e.g., [[selected-
assignment]]).
o Selection: allows the specification of one or more elements from a list. Selections are indicated
using bold italics and are surrounded by brackets (e.g., [selection]).
o Refinement: allows the addition of details. Refinements are indicated using bold, for additions,
and strike-through, for deletions (e.g., “… all objects …” or “… some big things …”). Note that
‘cases’ that are not applicable in a given SFR have simply been removed without any explicit
identification.
The NDPP uses an additional convention – the ‘case’ – which defines parts of an SFR that apply only when
corresponding selections are made or some other identified conditions exist. Only the applicable cases are
identified in this ST and they are identified using bold text.
Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as
captions.
1.3.1 Terminology
This section identifies TOE-specific terminology.
Bridge A layer-two device that forwards frames received from one
network segment to another segment, based on their MAC address
Correlated Attack
Validation
An Imperva technology that addresses attacks by
basing ID decisions on multiple observations.
Dynamic Profiling An Imperva technology that creates and maintains a comprehen-
sive model (profile) of an application's legitimate protocol struc-
ture and dynamics through the examination of live traffic.
TAP A device that provides a non-intrusive fault-tolerant method of
viewing traffic on a network segment.
1.3.2 Abbreviations
This section identifies abbreviations and acronyms used in this ST.
Security Target 12 November 2015
3
Abbreviation Description
ADC Application Defense Center
AES Advanced Encryption Standard
AWS Amazon Web Services
CAV Correlated Attack Validation
CC Common Criteria
CLI Command Line Interface
GUI Graphical User Interface
HSM Hardware Security Module
HTTP Hypertext Transfer Protocol
ID Intrusion Detection
IDS Intrusion Detection System
IP Internet Protocol
IPS Intrusion Prevention System
MX Management Server
NIC Network Interface Card
NTP Network Time Protocol
OOB Out Of Band
PP Protection Profile
RFC Request for Comment
SFR Security Functional Requirement
SFP Security Function Policy
SIEM Security Information and Event Management
SOM SecureSphere Operations Manager
SPAN Switch Port Analyzer
SSH Secure Shell
SSL Secure Sockets Layer
ST Security Target
TCP Transmission Control Protocol
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Function(s)
Security Target 12 November 2015
4
2. TOE Description
2.1 Product Description
The TOE is Imperva SecureSphere v11.5 Patch 5 running on two or more of the Imperva appliances listed in Section
1.1, including one or more Management Servers and one or more Gateways. The product is a set of network security
appliances for advanced threat detection with Intrusion Prevention System (IPS) capabilities. SecureSphere provides
protection from attacks against database, file, Web, and Web Services assets, both within the organization (insider
attacks) and from without. Installed on the network as a transparent inline bridge or as an offline network monitor
(sniffer), a SecureSphere Gateway monitors application-level protocols for attacks, and reacts by blocking the
attacks and/or reporting them to a centralized management server. Though the focus of this evaluation is on the
TOE functionality supporting the claims in the Protection Profile for Network Devices this section includes
descriptions of additional product security functionality for usage and context purposes.
The product is deployed as one or more Gateway appliances controlled by a MX appliance. In multi-tier
management configurations, one or more MX Management Servers may in turn be managed by a SecureSphere
Operations Manager (SOM) Management Server.
Administrators connect to the Management Server using a standard Web browser (outside of the Target of
Evaluation). They are required to authenticate their identity before being allowed any further action.
The different appliance models all run the same SecureSphere v11.5 Patch 5 software and provide all claimed
security functionality, but may differ in throughput and storage capacity. The SecureSphere v11.5 Patch 5 software
(including management and/or Gateway components) may alternatively be installed on a Virtual Machine (VM)
hosted by a VMware ESXi Hypervisor or on Amazon appliance in AWS environment. The Virtual Machine
emulates the SecureSphere appliance hardware. The VMware Hypervisor, and underlying hardware is considered to
be outside of the boundaries of the Target of Evaluation. Amazon deployments are not included in the TOE.
Imperva's Dynamic Profiling technology automatically builds a model of legitimate application behavior that is used
by the product to identify illegitimate traffic. In addition, attack signatures are preconfigured into the product and
can be periodically updated from an external Application Defense Center (ADC). The ADC also provides ADC
Insights – these are pre-packaged security policy rules and reports for commonly used applications. This
functionality is outside the scope of the TOE.
SecureSphere applies different layers of intrusion detection logic to analyzed network traffic, as depicted below in
Figure 1-1. Some of these layers are applicable to all network traffic; some are relevant only for Web traffic and/or
database access protocols. In addition, Imperva's Correlated Attack Validation (CAV) technology examines
sequences of events and identifies suspicious traffic based on a correlation of multiple analysis layers. Identified
malicious traffic is blocked.
SecureSphere supports the following two blocking methods:
TCP Reset (sniffing topology): SecureSphere can signal protected servers to disconnect malicious users
using TCP reset, a special TCP packet that signals TCP peers to close the TCP session. SecureSphere
spoofs a TCP reset packet and sends it to the protected server. It is assumed that a standards-conformant
server would immediately drop the attacker’s session on receipt of the TCP reset packet.
Note: TCP reset is considered inferior to inline blocking (see below) because it does not actively block the
malicious traffic from reaching the server; blocking depends on the server’s correct and timely session
termination behavior.
Inline Blocking: the gateway drops the packet, so that it doesn't reach its intended destination, and sends a
TCP reset to the server.
Security Target 12 November 2015
5
Figure 1-1 Intrusion Analysis and Reaction
The product’s application auditing capability is augmented by a discovery and assessment capability that scans
databases and file servers for known vulnerabilities and policy violations, identifies sensitive data, and enables
automatic aggregation and review of user rights across the organization. The product can also integrate information
from external sources such as web vulnerability scanners. This functionality is outside the scope of the TOE. The
TOE includes a security event auditing functionality which is included in the TOE.
MX Management Server can communicate with Imperva Update Server to download TOE updates. When MX
downloads a new update package, it is hashed using SHA-256. Authorized administrators can download the TOE
updates and manually verify the hash prior to installing the updates. The communication channel between the TOE
and the Imperva Update Server is protected using TLS.
TLS is also used for secure transmission of audit records to an external syslog server.
MX Management Servers interact with authorized administrators via SSH using OpenSSL; or using a web browser
where RSA BSAFE is used to implement HTTP over TLS (HTTPS) to secure the underlying communications. MX
Security Target 12 November 2015
6
also offers a local console interface for management of the TOE. Secure connections are also established between
the distributed TOE components: namely MX Management Servers (including SOMs) and Gateways.
The TOE is operated in FIPS mode. For cryptographic functions, the X1010, X10K, X2010, X2510, X4510, X6510,
X8510, V1000, V2500, and V4500 appliances include FIPS Object Module 2.0.1, which is a FIPS 140-2 validated
cryptomodule (#1747). The M110, M160, VM150 appliances include BSAFE Crypto-J 6.1.3, which incorporates
the FIPS 140-2 validated RSA JCE 6.1 (FIPS 140-2 cert #2057/2058).
The TOE provides several predefined user roles, but only the Administrator corresponding to the protection profile
role: Security Administrator can manage all of the TOE security functions. Other roles only have a subset of TOE
access capabilities.
2.2 TOE Overview
The Target of Evaluation (TOE) is a combination of Imperva appliances each running Imperva SecureSphere v11.5
Patch 5. More specifically, the TOE consists of
One1 MX Management Server appliance; and
One or more Gateway appliances; and optionally:
One SecureSphere Operations Manager (SOM) Management Server appliance.
Figure 1-2 - SecureSphere Gateway Appliance
SecureSphere provides protection from attacks against database, file, Web, and Web Services assets, both within
the organization (insider attacks) and from without. Installed on the network as a reverse Hypertext Transfer
Protocol (HTTP) proxy, a transparent inline bridge or as an offline network monitor (sniffer), a SecureSphere
Gateway monitors application-level protocols for attacks, and reacts by blocking the attacks and/or reporting them
to a centralized management server.
The TOE is deployed as one Gateway appliance controlled by a MX appliance that in turn is managed by a
SecureSphere Operations Manager (SOM) Management Server. The Management Server (MX) and SOM are two
different management applications using the same code base. SOM is a manager of MXs and runs M110 and M160
M-Appliances. SOM runs on an M160 M-Appliance.
Administrators connect to the Management/SOM Servers using a standard Web browser (outside of the Target of
Evaluation). The TOE authenticates Administrators using a local password based mechanism. Additionally, the TOE
can be configured to use the services of a trusted LDAP server in the operational environment.
As noted above, all TOE appliance models run the same software and provide all claimed security functionality.
The TOE generates logs for security relevant events including the events specified in NDPP. The TOE can be
configured to store the logs locally so they can be accessed by an administrator and can also be configured to send
the logs to a designated external log server. The communication channel with the external syslog server is protected
using TLS.
The TOE is operated in FIPS mode and includes cryptographic modules from both RSA BSAFE Crypto-J 6.1.3
FIPS 140-2 validated cryptographic module and OpenSSL 2.0.1 FIPS-certified with certificate number 1747.
1 Onebox mode (where both the SecureSphere management server and SecureSphere gateway are integrated in a
single machine) is not included in the evaluated configuration
Security Target 12 November 2015
7
SecureSphere Deployment Scenarios include both non-inline (sniffing) and inline gateways. An inline gateway is
more invasive but provides better blocking capabilities. A sniffing gateway is totally noninvasive but provides less
effective blocking capabilities.
In the inline scenario, the gateway acts as a bridging device between the external network and the protected network
segment. The gateway will block malicious traffic inline (i.e. drop packets). A single inline gateway protects one to
four network segments. For examples of deployment types, see the TOE guidance documentation.
X1010 and X2010 appliance models have six network interface ports. Two of the ports are used for management:
one to connect to the management server and the other is optional. The other four ports are part of two bridges that
are used for inline inspection of up to two different protected network segments.
X2510, X4510, X6510, X8510 and X10K appliance models have 2 fixed network interface ports and 2 optional
network cards, each card contains two to four network ports. The two fixed ports are used for management: one to
connect to the management server and the other is optional. The other optional two cards (each with two to four
ports) are part of one to four bridges that are used for inline inspection of up to four different protected network
segments.
The MX Management Server Appliances: M110, M160 each have an RJ45 Connector Serial Port, two USB ports,
and two management ports. The appliance models differ only in size of memory and hard drive. While the physical
form factor of each appliance differs, the underlying hardware shares a similar architecture.
A sniffing gateway is a passive sniffing device. It connects to corporate hubs and switches and taps the traffic sent to
and from protected servers, using a SPAN (Switch Port Analyzer) mirror port on the switch, or a dedicated TAP
device. Traffic is copied to it instead of passing directly through it. Transmission Control Protocol (TCP) resets are
transmitted over a “blocking” Network Interface Card (NIC). For an example of this type of deployment, see the
TOE guidance documentation.
2.3 TOE Architecture
The section describes the TOE physical and logical boundaries.
2.3.1 Physical Boundaries
As explained above, a given Imperva configuration includes one or more Gateway appliances controlled by a MX
(Management Server) appliance. In multi -tier management configurations, one or more MX Management Servers
may in turn be managed by a SecureSphere Operations Manager (SOM) Management Server. Each Imperva
appliance is a self-contained hardware appliance or VM designed to interact with its environment via network
connections.
Figure 1-4 below depicts the TOE in its operational environment. SecureSphere Gateways are installed in front of
the protected resources. They are connected to the Management Server using dedicated out of band (OOB)
management network interfaces, and the communication between the gateways and the Management Server is
protected using HTTPS. SOM Management Servers (not shown) are in the TOE and would be connected to the
Management Server and communications protected using HTTPS. The operational environment also requires
LDAP, TOE Update, syslog, and NTP servers.
Descriptions of the interconnecting lines in the figure are as follows:
The Blue Line to the monitor represents the TLS protected communications between the administrator
workstation and the MX Management Server.
The Red Lines represent the TLS protected communications between the TOE components and between
instances of a TOE.
The Orange Lines represent the Internet data filtered and processed by the TOE.
Security Target 12 November 2015
8
Figure 1-4 Physical Scope and Boundaries of the TOE
The virtual (VM) appliances are delivered as an installation disk (or ISO image). They require that the minimum
following hardware and software be installed on the host system:
VMware ESXi 5.x with virtual hardware version 9.0 and newer
Dual core or higher number of cores, Intel based server
IvyBridge supported Microprocessor
(http://en.wikipedia.org/wiki/List_of_Intel_Xeon_microprocessors#Ivy_Bridge-based_Xeons) or newer
generation of Intel based CPUs: 3rd Generation Intel Core processors, Intel Xeon processor E3-1200 v2
product family, Next Generation Intel Xeon processors, Intel Xeon processor E5 v2 and E7 v2 families or
newer Intel Xeon processors.
250 GB Hard Drive
Hypervisor-supported network interface card
If ESXi is in cluster, the EVC level must be set to L5 (IvyBridge) or higher
The main reason for using IvyBridge CPUs for Common Criteria is because of the need to use RDRAND
command, any IvyBridge CPU is compatible with this requirement and therefore all IvyBridge CPUs can
be used as ESX servers.
The VM appliances also require the following minimums:
VM150
V1000
V2500 V4500
CPU 2 2 2 4
Memory 4GB 4 GB 4 GB 8 GB
Disk Space 160GB 160 GB 160 GB 160 GB
All of the VM Machines in the CCTL test configuration were tested on an Ivy Bridge supported Intel
Core i5-3350P processor @ 3.10 GHz with VMware ESXi v5.1.0 with virtual hardware version 9.
Security Target 12 November 2015
9
All appliance hardware and software is included in the TOE, with the following exceptions.
Hardware Security Module (HSM) and SSL Accelerator Cards: SecureSphere Gateway appliances may be
purchased with an internal HSM or SSL accelerator PCI card that offloads key storage and cryptographic
operations used for network traffic deciphering from the appliance CPU. The cards are not included in the
evaluated configuration.
The TOE monitors network traffic between clients and servers in real-time, provides analyses of that traffic
for suspected intrusions, and provides a reaction capability. Database auditing allows you to record selected
user database queries for audit purposes. Web and file server queries and responses can also be selectively
recorded. In addition, monitored databases can be actively scanned to identify potential vulnerabilities. The
Imperva Agent software is installed on the client machines to support these features and may be used in the
evaluated configuration but the agents are considered to be outside the scope of the TOE and the
functionality was not evaluated or tested.
The VMware ESXi Hypervisor virtualization software and the hardware it is installed on.
2.3.1.1 Software Requirements
In order for an MX Management Client to connect via web-based, remote access, the following software is required
on the client machine(s):
Browser: Microsoft Internet Explorer; Chrome, Firefox; or Apple Safari
Adobe Flash Player
The TOE also requires that the administrator client machine have SSHv2 client software in order to connect to the
CLI remotely.
Use of the syslog, TOE Updates, and optional external authentication methods require LDAP, TOE Update and
syslog servers. The TOE also requires an NTP Server in the operational environment in order to synchronize
its clock with that of the external time server.
2.3.2 Logical Boundaries
This section summarizes the security functions provided by the TOE:
Security audit
Cryptographic support
User data protection
Identification and authentication
Security management
Protection of the TSF
TOE access
Trusted path/channels
2.3.2.1 Security audit
The TOE is designed to be able to generate logs for security relevant events including the events specified in NDPP.
The TOE can be configured to store the logs locally so they can be accessed by an administrator and can also be
configured to send the logs to a designated external log server.
2.3.2.2 Cryptographic support
The TOE is operated in FIPS mode and includes both NIST-validated RSA B-Safe and NIST-validated OpenSSL
cryptographic modules. The modules provide key management, random bit generation, encryption/decryption,
digital signature and cryptographic hashing and keyed-hash message authentication features in support of higher
level cryptographic protocols, including SSH, TLS and HTTP over TLS.
2.3.2.3 User data protection
The TOE is designed to ensure that it does not inadvertently reuse data found in network traffic.
Security Target 12 November 2015
10
2.3.2.4 Identification and authentication
The TOE requires users (i.e., administrators) to be successfully identified and authenticated before they can access
any security management functions available in the TOE. The TOE offers a network accessible GUI ( HTTP over
TLS) and console available locally and remotely via SSH for interactive administrator sessions.
The TOE supports the local (i.e., on device) definition of administrators with usernames and passwords.
Additionally, the TOE can be configured to use the services of a trusted LDAP server in the operational
environment.
2.3.2.5 Security management
The TOE provides remote access to a CLI using SSHv2 and a GUI to access the wide range of security management
functions. Security management commands are limited to administrators and are available only after they have
provided acceptable user identification and authentication data to the TOE.
The TOE also provides the ability to manage the TOE locally via direct serial console connection. The direct serial
console is used mainly for initial configuration and then the TOE is designed to be managed and monitored using the
Web GUI from a remote HTTPS/TLS client; or using the CLI from an SSHv2 client. The TOE provides the
Administrator role which corresponds to the NDPP Security Administrator.
2.3.2.6 Protection of the TSF
The TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its
security features.
It protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible
even by an administrator. The TOE includes its own time clock to ensure that reliable time information is available
(e.g., for log accountability) but requires an NTP Server in the operational environment in order to synchronizes its
clock with that of the external time server.
The TOE uses HTTPS to protect communications between distributed TOE components (FPT_ITT.1).
The TOE includes functions to perform self-tests so that it might detect when it is failing. It also includes
mechanisms so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or
other unexpected changes in the TOE.
2.3.2.7 TOE access
The TOE can be configured to display an informative banner that will appear prior to an administrator being
permitted to establish an interactive session. The TOE subsequently will enforce an administrator-defined inactivity
timeout value after which the inactive session will be terminated. Administrators can also terminate their own
sessions by logging out.
2.3.2.8 Trusted path/channels
The TOE protects interactive communication with remote administrators using SSH or HTTP over TLS. TLS
ensures both integrity and disclosure protection.
The TOE uses TLS to ensure that any authentication operations, and exported audit records, are sent only to the
configured Syslog or authentication servers so they are not subject to inappropriate disclosure or modification. TLS
is also used to ensure TOE updates are transmitted securely..
2.4 TOE Documentation
Imperva offers a series of documents that describe the installation process for the TOE, as well as guidance for
subsequent use and administration of the system security features.
Imperva SecureSphere Configuring Common Criteria Compliance User Guide, v11.5, November 2015
Imperva SecureSphere v11.5, Admin Guide Version 11.5, January 2015
Imperva SecureSphere Operations Manager (SOM) User Guide Version 11.5, August 2015
Security Target 12 November 2015
11
3. Security Problem Definition
This security target includes by reference the Security Problem Definition (composed of organizational policies,
threat statements, and assumptions) from the NDPP.
In general, the NDPP has presented a Security Problem Definition appropriate for network infrastructure devices,
and as such is applicable to the Imperva TOE.
Security Target 12 November 2015
12
4. Security Objectives
Like the Security Problem Definition, this security target includes by reference the Security Objectives from the
NDPP. The NDPP security objectives for the operational environment are reproduced below, since these objectives
characterize technical and procedural measures each consumer must implement in their operational environment.
In general, the NDPP has presented a Security Objectives statement appropriate for network infrastructure devices,
and as such is applicable to the Imperva TOE.
4.1 Security Objectives for the Operational Environment
OE.NO_GENERAL_PURPOSE There are no general-purpose computing capabilities (e.g.,
compilers or user applications) available on the TOE, other
than those services necessary for the operation, administration
and support of the TOE.
OE.PHYSICAL Physical security, commensurate with the value of the TOE
and the data it contains, is provided by the environment.
OE.TRUSTED_ADMIN TOE Administrators are trusted to follow and apply all
administrator guidance in a trusted manner.
Security Target 12 November 2015
13
5. IT Security Requirements
This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs)
that serve to represent the security functional claims for the Target of Evaluation (TOE) and to scope the evaluation
effort.
The SFRs have all been drawn from the Protection Profile for Network Devices, Version 1.1, 8 June 2012 (NDPP),
as amended by Errata #3.
As a result, refinements and operations already performed in that PP are not identified (e.g., highlighted) here, rather
the requirements have been copied from that PP and any residual operations have been completed herein. Of
particular note, the NDPP made a number of refinements and completed some of the SFR operations defined in the
CC and that PP should be consulted to identify those changes if necessary.
The SARs are the set of SARs specified in NDPP.
5.1 Extended Requirements
All of the extended requirements in this ST have been drawn from the NDPP. The NDPP defines the following
extended SFRs and since they are not redefined in this ST, the NDPP should be consulted for more information in
regard to those CC extensions.
FAU_STG_EXT.1: External Audit Trail Storage
FCS_CKM_EXT.4: Cryptographic Key Zeroization
FCS_HTTPS_EXT.1: Extended: HTTP Security (HTTPS)
FCS_RBG_EXT.1: Extended: Cryptographic Operation (Random Bit Generation)
FCS_SSH_EXT.1: Explicit: SSH
FCS_TLS_EXT.1: Extended: Transport Layer Security (TLS)
FIA_PMG_EXT.1: Password Management
FIA_UAU_EXT.2: Extended: Password-based Authentication Mechanism
FIA_UIA_EXT.1: User Identification and Authentication
FPT_APW_EXT.1: Extended: Protection of Administrator Passwords
FPT_SKP_EXT.1: Extended: Protection of TSF Data (for reading of all symmetric keys)
FPT_TST_EXT.1: TSF Testing
FPT_TUD_EXT.1: Extended: Trusted Update
FTA_SSL_EXT.1: TSF-initiated Session Locking
Security Target 12 November 2015
14
5.2 TOE Security Functional Requirements
The following table identifies the SFRs that are satisfied by the Fidelis XPS.
Requirement Class Requirement Component
FAU: Security audit
FAU_GEN.1: Audit Data Generation
FAU_GEN.2: User identity association
FAU_STG_EXT.1: External Audit Trail Storage
FCS: Cryptographic support
FCS_CKM.1: Cryptographic Key Generation (for asymmetric keys)
FCS_CKM_EXT.4: Cryptographic Key Zeroization
FCS_COP.1(1): Cryptographic Operation (for data encryption/decryption)
FCS_COP.1(2): Cryptographic Operation (for cryptographic signature)
FCS_COP.1(3): Cryptographic Operation (for cryptographic hashing)
FCS_COP.1(4): Cryptographic Operation (for keyed-hash message authentication)
FCS_HTTPS_EXT.1: Extended: HTTP Security (HTTPS)
FCS_RBG_EXT.1: Extended: Cryptographic Operation (Random Bit Generation)
FCS_SSH_EXT.1: Explicit: SSH
FCS_TLS_EXT.1: Extended: Transport Layer Security (TLS)
FDP: User data protection FDP_RIP.2: Full Residual Information Protection
FIA: Identification and
authentication
FIA_PMG_EXT.1: Password Management
FIA_UAU.7: Protected Authentication Feedback
FIA_UAU_EXT.2: Extended: Password-based Authentication Mechanism
FIA_UIA_EXT.1: User Identification and Authentication
FMT: Security management
FMT_MTD.1: Management of TSF Data (for general TSF data)
FMT_SMF.1: Specification of Management Functions
FMT_SMR.2: Restrictions on Security Roles
FPT: Protection of the TSF
FPT_APW_EXT.1: Extended: Protection of Administrator Passwords
FPT_ITT.1: Basic Internal TSF Data Transfer Protection
FPT_SKP_EXT.1: Extended: Protection of TSF Data (for reading of all
symmetric keys)
FPT_STM.1: Reliable Time Stamps
FPT_TST_EXT.1: TSF Testing
FPT_TUD_EXT.1: Extended: Trusted Update
FTA: TOE access
FTA_SSL.3: TSF-initiated Termination
FTA_SSL.4: User-initiated Termination
FTA_SSL_EXT.1: TSF-initiated Session Locking
FTA_TAB.1: Default TOE Access Banners
FTP: Trusted path/channels
FTP_ITC.1: Trusted Channel
FTP_TRP.1: Trusted Path
Table 1 TOE Security Functional Components
5.2.1 Security audit (FAU)
5.2.1.1 Audit Data Generation (FAU_GEN.1)
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shut-down of the audit functions;
b) All auditable events for the not specified level of audit; and
c) All administrative actions;
d) Specifically defined auditable events listed in Table 2.
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
Security Target 12 November 2015
15
a) Date and time of the event, type of event, subject identity, and the outcome
(success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the
functional components included in the PP/ST, information specified in column
three of Table 2.
Requirement Auditable Events Additional Audit Record Contents FAU_GEN.1 None.
FAU_GEN.2 None.
FAU_STG_EXT.1 None.
FCS_CKM.1 None.
FCS_CKM_EXT.4 None.
FCS_COP.1(1) None.
FCS_COP.1(2) None.
FCS_COP.1(3) None.
FCS_COP.1(4) None. FCS_HTTPS_EXT.1 Failure to establish a HTTPS session.
Establishment/Termination of a HTTPS session.
Reason for failure. Non-TOE endpoint of connection (IP address) for both successes and failures
FCS_RBG_EXT.1 None. FCS_SSH_EXT.1 Failure to establish an SSH session.
Establishment/Termination of an SSH session.
Reason for failure
Establishment/Termination of an SSH session.
Non-TOE endpoint of connection (IP address) for both successes and failures.
FCS_TLS_EXT.1 Failure to establish a TLS session. Establishment/Termination of a TLS session.
Reason for failure. Non-TOE endpoint of connection (IP address) for both successes and failures
FDP_RIP.2 None.
FIA_PMG_EXT.1 None.
FIA_UAU_EXT.2 All use of the authentication mechanism. Origin of the attempt (e.g., IP address).
FIA_UIA_EXT.1 All use of the identification and authentication mechanism.
Provided user identity, origin of the attempt (e.g., IP address).
FIA_UAU.7 None.
FMT_MTD.1 None.
FMT_SMF.1 None.
FMT_SMR.2 None.
FPT_APW_EXT.1 None.
FPT_ITT.1 None.
FPT_SKP_EXT.1 None. FPT_STM.1 Changes to the time. The old and new values for the time.
Origin of the attempt (e.g., IP address).
FPT_TUD_EXT.1 Initiation of update. No additional information.
FPT_TST_EXT.1 None.
FTA_SSL_EXT.1 Any attempts at unlocking of an interactive session.
No additional information.
FTA_SSL.3 The termination of a remote session by No additional information.
Security Target 12 November 2015
16
Requirement Auditable Events Additional Audit Record Contents the session locking mechanism.
FTA_SSL.4 The termination of an interactive session.
No additional information.
FTA_TAB.1 None. FTP_ITC.1 Initiation of the trusted channel.
Termination of the trusted channel. Failure of the trusted channel functions.
Identification of the initiator and target of failed trusted channels establishment attempt.
FTP_TRP.1 Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions.
Identification of the claimed user identity.
Table 2 Auditable Events
5.2.1.2 User identity association (FAU_GEN.2)
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to
associate each auditable event with the identity of the user that caused the event.
5.2.1.3 External Audit Trail Storage (FAU_STG_EXT.1)
FAU_STG_EXT.1.1 The TSF shall be able to [transmit the generated audit data to an external IT entity]
using a trusted channel implementing the [TLS] protocol.
5.2.2 Cryptographic support (FCS)
5.2.2.1 Cryptographic Key Generation (for asymmetric keys) (FCS_CKM.1)
FCS_CKM.1.1 Refinement: The TSF shall generate asymmetric cryptographic keys used for key
establishment in accordance with [
o NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key
Establishment Schemes Using Discrete Logarithm Cryptography” for
finite field-based key establishment schemes;
o NIST Special Publication 800-56B, 'Recommendation for Pair-Wise Key
Establishment Schemes Using Integer Factorization Cryptography' for
RSA-based key establishment schemes]
and specified cryptographic key sizes equivalent to, or greater than, a symmetric key
strength of 112 bits.
5.2.2.2 Cryptographic Key Zeroization (FCS_CKM_EXT.4)
FCS_CKM_EXT.4.1 The TSF shall zeroize all plaintext secret and private cryptographic keys and CSPs when
no longer required.
5.2.2.3 Cryptographic Operation (for data encryption/decryption) (FCS_COP.1(1))
FCS_COP.1.1(1) Refinement: The TSF shall perform encryption and decryption in accordance with a
specified cryptographic algorithm [AES operating in [CBC]] and cryptographic key sizes
128-bits and 256-bits that meets the following:
FIPS PUB 197, 'Advanced Encryption Standard (AES)'
[NIST SP 800-38A].
5.2.2.4 Cryptographic Operation (for cryptographic signature) (FCS_COP.1(2))
FCS_COP.1.1(2) Refinement: The TSF shall perform cryptographic signature services in accordance with
a [
Security Target 12 November 2015
17
(1) RSA Digital Signature Algorithm (rDSA) with a key size (modulus) of 2048
bits or greater, or]
that meets the following:
Case: RSA Digital Signature Algorithm
FIPS PUB 186-2 or FIPS PUB 186-3, “Digital Signature Standard”
5.2.2.5 Cryptographic Operation (for cryptographic hashing) (FCS_COP.1(3))
FCS_COP.1.1(3) Refinement: The TSF shall perform cryptographic hashing services in accordance with a
specified cryptographic algorithm [SHA-1, SHA-256, SHA-512] and message digest
sizes [160, 256, 512] bits that meet the following: FIPS Pub 180-3, 'Secure Hash
Standard.'
5.2.2.6 Cryptographic Operation (for keyed-hash message authentication) (FCS_COP.1(4))
FCS_COP.1.1(4) Refinement: The TSF shall perform keyed-hash message authentication in accordance
with a specified cryptographic algorithm HMAC-[SHA-1], key size [160 bits], and
message digest sizes [160] bits that meet the following: FIPS Pub 198-1, 'The Keyed-
Hash Message Authentication Code', and FIPS Pub 180-3, 'Secure Hash Standard.'
5.2.2.7 Extended: HTTP Security (HTTPS) (FCS_HTTPS_EXT.1)
FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.
FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS as specified in FCS_TLS_EXT.1.
5.2.2.8 Extended: Cryptographic Operation (Random Bit Generation) (FCS_RBG_EXT.1)
FCS_RBG_EXT.1.1 The TSF shall perform all random bit generation (RBG) services in accordance with
[NIST Special Publication 800-90 using [CTR_DRBG (AES)]] seeded by an entropy
source that accumulated entropy from [a software-based noise source].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded with a minimum of [256 bits] of entropy at least
equal to the greatest security strength of the keys and hashes that it will generate.
5.2.2.9 Explicit: SSH (FCS_SSH_EXT.1)
FCS_SSH_EXT.1.1 The TSF shall implement the SSH protocol that complies with RFCs 4251, 4252, 4253,
4254, and [5656].
FCS_SSH_EXT.1.2 The TSF shall ensure that the SSH protocol implementation supports the following
authentication methods as described in RFC 4252: public key-based, [password-based]2.
FCS_SSH_EXT.1.3 The TSF shall ensure that, as described in RFC 4253, packets greater than [256K] bytes
in an SSH transport connection are dropped.
FCS_SSH_EXT.1.4 The TSF shall ensure that the SSH transport implementation uses the following
encryption algorithms: AES-CBC-128, AES-CBC-256, [no other algorithms].
FCS_SSH_EXT.1.5 The TSF shall ensure that the SSH transport implementation uses [SSH_RSA] and [no
other public key algorithms] as its public key algorithm(s).
2 Marked as a selection per NIAP Technical Decision TD0032 (https://www.niap-
ccevs.org/Documents_and_Guidance/view_td.cfm?td_id=34)
Security Target 12 November 2015
18
FCS_SSH_EXT.1.6 The TSF shall ensure that data integrity algorithms used in SSH transport connection is
[hmac-sha1].
FCS_SSH_EXT.1.7 The TSF shall ensure that diffie-hellman-group14-sha1 and [no other methods] are the
only allowed key exchange methods used for the SSH protocol.
5.2.2.10 Extended: Transport Layer Security (TLS) (FCS_TLS_EXT.1)
FCS_TLS_EXT.1.1
The TSF shall implement one or more of the following protocols [TLS 1.0 (RFC 2246), TLS 1.1
(RFC 4346), TLS 1.2 (RFC 5246) ] supporting the following ciphersuites:
Mandatory Ciphersuites:
TLS_RSA_WITH_AES_128_CBC_SHA,
Optional Ciphersuites:
[None
].
5.2.3 User data protection (FDP)
5.2.3.1 Full Residual Information Protection (FDP_RIP.2)
FDP_RIP.2.1 The TSF shall ensure that any previous information content of a resource is made
unavailable upon the [allocation of the resource to] all objects.
5.2.4 Identification and authentication (FIA)
5.2.4.1 Password Management (FIA_PMG_EXT.1)
FIA_PMG_EXT.1.1 The TSF shall provide the following password management capabilities for
administrative passwords:
1. Passwords shall be able to be composed of any combination of upper and lower
case letters, numbers, and the following special characters: [“!”, “@”, “#”, “$”,
“%”, “^”, “&”, “*”, “(”, “)”, [< > ? . _ + = - [ ] { } \ | : ; , / ` ~]];
2. Minimum password length shall settable by the Security Administrator, and
support passwords of 15 characters or greater;
5.2.4.2 Protected Authentication Feedback (FIA_UAU.7)
FIA_UAU.7.1 The TSF shall provide only obscured feedback to the administrative user while the
authentication is in progress at the local console.
5.2.4.3 Extended: Password-based Authentication Mechanism (FIA_UAU_EXT.2)
FIA_UAU_EXT.2.1 The TSF shall provide a local password-based authentication mechanism, [[and access to
external LDAP Server]] to perform administrative user authentication.
5.2.4.4 User Identification and Authentication (FIA_UIA_EXT.1)
FIA_UIA_EXT.1.1 The TSF shall allow responses to the following actions prior to requiring the non-TOE
entity to initiate the identification and authentication process:
Display the warning banner in accordance with FTA_TAB.1;
[[Enter User Credentials in the login GUI]].
FIA_UIA_EXT.1.2 The TSF shall require each administrative user to be successfully identified and
authenticated before allowing any other TSF-mediated actions on behalf of that
administrative user.
Security Target 12 November 2015
19
5.2.5 Security management (FMT)
5.2.5.1 Management of TSF Data (for general TSF data) (FMT_MTD.1)
FMT_MTD.1.1 The TSF shall restrict the ability to manage the TSF data to the Security Administrators.
5.2.5.2 Specification of Management Functions (FMT_SMF.1)
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions:
Ability to administer the TOE locally and remotely;
Ability to update the TOE, and to verify the updates using the [published hash]
capability prior to installing those updates;
[Ability to configure the list of TOE-provided services available before an
entity is identified and authenticated, as specified in FIA_UIA_EXT.1;
Ability to configure the cryptographic functionality].
5.2.5.3 Restrictions on Security Roles (FMT_SMR.2)
FMT_SMR.2.1 The TSF shall maintain the roles:
Authorized Administrator.
FMT_SMR.2.2 The TSF shall be able to associate users with roles.
FMT_SMR.2.3 The TSF shall ensure that the conditions
Authorized Administrator role shall be able to administer the TOE locally;
Authorized Administrator role shall be able to administer the TOE remotely;
are satisfied.
5.2.6 Protection of the TSF (FPT)
5.2.6.1 Extended: Protection of Administrator Passwords (FPT_APW_EXT.1)
FPT_APW_EXT.1.1 The TSF shall store passwords in non-plaintext form.
FPT_APW_EXT.1.2 The TSF shall prevent the reading of plaintext passwords.
5.2.6.2 Extended: Protection of TSF Data (for reading of all symmetric keys) (FPT_SKP_EXT.1)
FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric key, and private keys.
5.2.6.3 Basic Internal TSF Data Transfer Protection
FPT_ITT.1.1 Refinement: The TSF shall protect TSF data from disclosure and detect its modification
when it is transmitted between separate parts of the TOE through the use of [TLS,
TLS/HTTPS].
5.2.6.4 Reliable Time Stamps (FPT_STM.1)
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.
5.2.6.5 TSF Testing (FPT_TST_EXT.1)
FPT_TST_EXT.1.1 The TSF shall run a suite of self tests during initial start-up (on power on) to demonstrate
the correct operation of the TSF.
5.2.6.6 Extended: Trusted Update (FPT_TUD_EXT.1)
FPT_TUD_EXT.1.1 The TSF shall provide security administrators the ability to query the current version of
the TOE firmware/software.
FPT_TUD_EXT.1.2 The TSF shall provide security administrators the ability to initiate updates to TOE
firmware/software.
FPT_TUD_EXT.1.3 The TSF shall provide a means to verify firmware/software updates to the TOE using a
[published hash] prior to installing those updates.
Security Target 12 November 2015
20
5.2.7 TOE access (FTA)
5.2.7.1 TSF-initiated Termination (FTA_SSL.3)
FTA_SSL.3.1 Refinement: The TSF shall terminate a remote interactive session after a Security
Administrator-configurable time interval of session inactivity.
5.2.7.2 User-initiated Termination (FTA_SSL.4)
FTA_SSL.4.1 The TSF shall allow Administrator-initiated termination of the Administrator’s own
interactive session.
5.2.7.3 TSF-initiated Session Locking (FTA_SSL_EXT.1)
FTA_SSL_EXT.1.1 The TSF shall, for local interactive sessions, [terminate the session] after a Security
Administrator-specified time period of inactivity.
5.2.7.4 Default TOE Access Banners (FTA_TAB.1)
FTA_TAB.1.1 Refinement: Before establishing an administrative user session the TSF shall display a
Security Administrator-specified advisory notice and consent warning message regarding
use of the TOE.
5.2.8 Trusted path/channels (FTP)
5.2.8.1 Trusted Channel (FTP_ITC.1)
FTP_ITC.1.1 Refinement: The TSF shall use [TLS] to provide a trusted communication channel
between itself and authorized IT entities supporting the following capabilities: audit
server, [authentication server, [TOE Update Server]] that is logically distinct from other
communication channels and provides assured identification of its end points and
protection of the channel data from disclosure and detection of modification of the
channel data.
FTP_ITC.1.2 The TSF shall permit the TSF, or the authorized IT entities to initiate communication via
the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [transmitting audit
records to an audit server, obtaining TOE updates, and external authentication
functions].
5.2.8.2 Trusted Path (FTP_TRP.1)
FTP_TRP.1.1 Refinement: The TSF shall use [TLS/HTTPS, SSH] to provide a communication path
between itself and remote administrators that is logically distinct from other
communication paths and provides assured identification of its end points and protection
of the communicated data from disclosure and detection of modification of the
communicated data.
FTP_TRP.1.2 Refinement: The TSF shall permit remote administrators to initiate communication via
the trusted path.
FTP_TRP.1.3 The TSF shall require the use of the trusted path for initial administrator authentication
and all remote administrative actions.
Security Target 12 November 2015
21
5.3 TOE Security Assurance Requirements
The security assurance requirements for the TOE are included by reference from the NDPP.
Requirement Class Requirement Component
ADV: Development ADV_FSP.1 Basic functional specification
AGD: Guidance documents
AGD_OPE.1: Operational user guidance
AGD_PRE.1: Preparative procedures
ALC: Life-cycle support
ALC_CMC.1 Labelling of the TOE
ALC_CMS.1 TOE CM coverage
ATE: Tests ATE_IND.1 Independent testing - conformance
AVA: Vulnerability assessment AVA_VAN.1 Vulnerability survey
Table 3 Assurance Components
Consequently, the assurance activities specified in NDPP apply to the TOE evaluation.
6. TOE Summary Specification
This chapter describes the security functions:
Security audit
Cryptographic support
User data protection
Identification and authentication
Security management
Protection of the TSF
TOE access
Trusted path/channels
6.1 Security audit
The TOE is designed to be able to generate log records for security relevant events as they occur. The events that
can cause an audit record to be logged include starting and stopping the audit function, any use of an administrator
command via the Web GUI or console, as well as all of the events identified in Table 2 (which corresponds to the
audit events specified in NDPP). Note that the only protocol (i.e., HTTPS, TLS, SSH) failures auditable by the TOE
are authentication failures for user-level connections.
The logged audit records identify the date and time, the nature or type of the triggering event, an indication of
whether the event succeeded or failed, and the identity of the user responsible for the event. The logged audit
records also include event-specific content that includes at least all of the content required in Table 2.
The TOE includes an internal log implementation that can be used to store and review audit records locally. The
local audit logs are stored on the MX Management Server database. The SOM administrator can pre-select System
Event types that will be automatically forwarded from the MX server to the SOM for storage and audit review by
the SOM administrator. System Events are also generated by the SOM (e.g. for SOM administrator logins and SOM
user account management) and are stored locally on the SOM server. The TOE does not provide any interface for
modifying audit records. Audit records can only be purged by an authorized Administrator via the SecureSphere
GUI management interface.
By default, the Management Server retains up to 100,000 System Event records, and purges the oldest records when
this configurable threshold is exceeded. An authorized Administrator can modify this threshold, or specify a time
period for which System Event records must be retained.
Security Target 12 November 2015
22
The TOE can be configured to send generated audit records to an external Syslog server using TLS. When
configured to send audit records to a syslog server, audit records are also written to the external syslog as they are
written to the local audit log.
The Security audit function is designed to satisfy the following security functional requirements:
FAU_GEN.1: The TOE can generate audit records for events including starting and stopping the audit
function, administrator commands, and all other events identified in Table 2. Furthermore, each audit
record identifies the date/time, event type, outcome of the event, responsible subject/user, as well as the
additional event-specific content indicated in Table 2.
FAU_GEN.2: The TOE associates each auditable event with the identity of the user that caused the event.
FAU_STG_EXT.1: The TOE can be configured to export audit records to an external Syslog server and
can be configured to use TLS for communication with the Syslog server.
6.2 Cryptographic support
The TOE provides a FIPS mode of operation, which must be enabled in the evaluated configuration. The TOE
includes NIST-validated cryptographic algorithms providing supporting cryptographic functions. The TOE uses the
RSA Crypto-J version 6.1.3 (FIPS 140-2 cert #2057/2058) and FIPS 140-2 OpenSSL version FIPS 2.0.1 (cert#
1747) cryptomodules for all of the cryptographic functionality. The following functions have been certified in
accordance with the identified standards.
Functions Standards Certificates
(crypto-J / openSSL)
Asymmetric key generation
Domain parameter generation (key
size 2048 bits)
NIST Special Publication 800-56A
NIST Special Publication 800-56B
RSA #1154/
RSA (Certs. #960, #1086,
#1145, #1205, #1237,
#1273, #1477, #1535 and
#1581);
Encryption/Decryption
AES CBC (128 and 256 bits) FIPS PUB 197
NIST SP 800-38A
AES #2249
AES (Certs. #1884,
#2116, #2234, #2342,
#2394, #2484, #2824,
#2929 and #3090)
Cryptographic signature services
RSA Digital Signature Algorithm
(rDSA) (modulus 2048)
FIPS PUB 186-2
FIPS PUB 186-3
RSA #1154
RSA (Certs. #960, #1086,
#1145, #1205, #1237,
#1273, #1477, #1535 and
#1581);
Cryptographic hashing
SHA-1 (digest sizes 160 bits)
SHA-256 (digest sizes 256 bits)
SHA-512 (digest sizes 512 bits)
FIPS Pub 180-3 SHS #1938
SHS (Certs. #1655,
#1840, #1923, #2019,
#2056, #2102, #2368,
#2465 and #2553)
Keyed-hash message authentication
HMAC-SHA-1 (key size 160 bits
and digest size 160 bits)
FIPS Pub 198-1
FIPS Pub 180-3
HMAC #1378
HMAC (Certs. #1126,
#1288, #1363, #1451,
#1485, #1526, #1768,
#1856 and #1937)
Security Target 12 November 2015
23
Random bit generation
CTR-DRBG(AES) with one
independent software-based noise
source of 256 bits of non-
determinism
NIST Special Publication 800-90A
DRBG # 273
DRBG (Certs. #157,
#229, #264, #292, #316,
#342, #485, #540 and
#607)
Table 4 Cryptographic Functions
The TOE implements a random number generator for RSA key establishment schemes; and for finite-based key
establishment (conformant to NIST SP 800-56A and to NIST SP 800-56B).
The Gateway appliances (including virtual appliances) implement a software-based deterministic random bit
generator that complies with NIST SP 800-90, using CTR_DRBG (AES) seeded with 256 bits of entropy. On the
X10K, X2510, and X8510 appliances, the entropy source is the RDRAND instruction provided by Intel Ivy Bridge-
based processors, which is assumed to provide 0.5 bits of entropy per bit sample. The same entropy source is also
used on virtual gateway appliances, which require an Ivy Bridge-based processor on the hosting hardware. On
X1010, X2010, X4510, and X6510 appliances, the entropy source is an Infineon SLB96xx Trusted Platform Module
(TPM) processor, which is assumed to provide 1 bit of entropy per bit sample (i.e., full entropy).
The Management Server appliances (including the virtual Management Server appliance) implement a software-
based deterministic random bit generator that complies with NIST SP 800-90, using HMAC_DRBG seeded with
256 bits of entropy. On M110 and M160 appliances, the entropy source is an Infineon SLB96xx Trusted Platform
Module (TPM) processor, which is assumed to provide 1 bit of entropy per bit sample (i.e., full entropy).
The TOE is designed to zeroize secret and private keys when they are no longer required by the TOE. The TOE uses
the RSA Crypto-J and FIPS 140-2 OpenSSL cryptomodule functions for the zeroization of all ephemeral sensitive
data. The TOE itself zeroizes the following secret and private keys when they are no longer required by the TOE.
# Key/
CSP Name Generation/ Algorithm
Description Storage Zeroization
CSP1 RSA private keys
RSA(2048 bits)
Identity certificates for the security appliance itself and also used in TLS negotiations.
Key Store on Disk RAM (plain text)
Overwriting file with a string of the original length of the sensitive data into the same location in the file; then delete.
CSP2 CA Certificates
RSA(2048 bits)
Trusted CAs Trust Store on Disk RAM (plain text)
Overwriting file with a string of the original length of the sensitive data into the same location in the file; then delete.
CSP3
Domain and DB Credentials, Proxy Credentials
Secret (plain text)
Usernames and passwords for protected machines and their databases
Database (RSA-2048) RAM (plain text) Gateway Disk (RSA-2048) Transit (TLS with secrets generated by RSA-2048 private keys)
Overwrite with a fixed string of zeroes; then delete.
CSP5 SIEM Credentials
Secret Used for sending syslog messages
See CSP3 See CSP3
CSP6 External Machines Certificates
Various, can be shared secrets of any kind
Public Keys of machines for integration authentication
See CSP3 See CSP3
CSP7 Machine Secret admin login Linux Hash saved on Overwriting file
Security Target 12 November 2015
24
# Key/
CSP Name Generation/ Algorithm
Description Storage Zeroization
credentials disk with a string of the original length of the sensitive data into the same location in the file; then delete.
CSP8 Database Credentials
RSA(2048) SecureSphere Database Access
Disk (RSA-2048) RAM (plain text)
Overwriting file with a string of the
original length of the sensitive data into the same location in the file; then delete.
Table 5 Key/CSP Zeroization Summary
Administrator passwords for locally defined users are stored as SHA-512 hash in a database located on the MX
Management Server.
When the TOE downloads a new software release package these are hashed using SHA-256. Administrators verify
the hash manually before installing the downloaded updates.
The TOE uses RSA B-SAFE and OpenSSL FIPS Object Module algorithms: AES (CBC) 128, 256 bit ciphers, in
conjunction with HMAC-SHA-1 and RSA signature verification with 2048 bit key sizes. The implementations are
in accordance with FIPS PUB 186-3, “Digital Signature Standard”, FIPS Pub 180-3, 'Secure Hash Standard', and
FIPS Pub 198-1, 'The Keyed-Hash Message Authentication Code'.
The TOE supports SSHv2 with AES (CBC) 128 or 256 bit ciphers, in conjunction with HMAC-SHA-1. The TOEs
SSH implementation complies with RFCs 4251, 4252, 4253, and 4254, 5656; supports RSA public key algorithm;
and supports diffie-hellman-group14-sha1 key exchange method. Both public-key and password based
authentication can be configured. The TOE manages a packet counter for each SSH session such that packets larger
than the 256K bytes packet limit are dropped.
The TOE’s HTTPS protocol complies with RFC 2818 and is implemented using TLS 1.0 (RFC 2246), TLS 1.1
(RFC 4346), TLS 1.2 (RFC 5246) ] supporting the following ciphersuite: TLS_RSA_WITH_AES_128_CBC_SHA .
The Cryptographic support function is designed to satisfy the following security functional requirements:
FCS_CKM.1: See table above.
FCS_CKM_EXT.4: See table above.
FCS_COP.1(1): See table above.
FCS_COP.1(2): See table above.
FCS_COP.1(3): See table above.
FCS_COP.1(4): See table above.
FCS_HTTPS_EXT.1: The TOE supports HTTPS web-based secure administrator sessions.
FCS_RBG_EXT.1: See table above.
FCS_SSH_EXT.1: The TOE supports SSH-based secure administrator sessions.
FCS_TLS_EXT.1: The TOE supports HTTP over TLS web-based secure administrator sessions.
6.3 User data protection
The TOE is designed to ensure that it does not inadvertently reuse data found in network traffic. Previous
information is made unavailable to next user during construction of the new packet. The TOE does not include any
Security Target 12 November 2015
25
padding or gaps within packets, and therefore all information that the next user receives is the information intended
for it. The next user will only receive the information written in the packet for the new user.
The User data protection function is designed to satisfy the following security functional requirements:
FDP_RIP.2: The TOE always overwrites resources when allocated for use in objects.
6.4 Identification and authentication
The TOE is designed to require users to be identified and authenticated before they can access any of the TOE
functions. Administrators manage the TOE remotely using SSHv2 to access the CLI; or using a web-based GUI
accessed via HTTPS. Administrators can also connect to the TOE locally using a directly connected console.
However the TOE is not intended to be managed locally. For each session, the user is required to log in prior to
successfully establishing a session through which TOE functions can be exercised. After a user enters their
credentials but prior to a session being established, the TOE displays an advisory warning banner.
In order to log in, the user must provide an identity and also authentication data that matches the provided identity.
Local and remote access to the CLI and GUI all support password authentication. SSHv2 also supports public key
authentication methods. Users can be defined locally within the TOE with a user identity, password, and user role.
Alternately, users can be defined within the TOE but have their authentication data (password) defined in an
external LDAP server configured to be used by the TOE. Locally defined users are authenticated directly by the
TOE, while remotely defined users are authenticated by the external server and the result is enforced by the TOE. In
either case, any resulting session is dependent upon successful authentication and established sessions are associated
with the role(s) (see Section 6.5) assigned to the user.
When logging in, the TOE will not echo passwords so that passwords are not inadvertently displayed to the user and
any other users that might be able to view the login display.
Note also that should a user have their session terminated (e.g., due to inactivity), they are required to successfully
authenticate, by reentering their identity and authentication data, in order to establish a new session.
Password requirements can be configured for local user accounts and are enforced for both SSH and TLS
connections. Passwords can be composed of upper and lower case letters, numbers and special characters:
“!@#$%^&*()< > ? . _ + = - [ ] { } \ | : ; , / ` ~”.
Also, new passwords have to satisfy a configurable minimum password length. The administrator can specify a
minimum password length of 15 characters with an upper bound of 255 characters.
The Identification and authentication function is designed to satisfy the following security functional requirements:
FIA_PMG_EXT.1: The TOE implements a rich set of password composition constraints as described
above.
FIA_UAU.7: The TOE does not echo passwords as they are entered.
FIA_UAU_EXT.2: The TOE provides a local password-based authentication mechanism and can be
configured to use an external LDAP authentication server.
FIA_UIA_EXT.1: The TOE only displays the warning banner prior to a user being identified and
authenticated. Note that a user enters their credentials, the banner is displayed, and then the session is
established.
6.5 Security management
The TOE provides a GUI to access the wide range of security management functions. Security management
commands are limited to administrators and are available only after they have provided acceptable user
identification and authentication data to the TOE. The TOE controls user access to the TOE and resources based on
user role. Users are given permission to access a set of commands and resources based on their user role.
Security Target 12 November 2015
26
The TOE also provides the ability to manage the TOE locally via direct serial console connection. The direct serial
console is used mainly for initial configuration and then the TOE is designed to be managed and monitored using the
Web GUI from a remote HTTPS/TLS client or via SSHv2 remote connection to the CLI. The TOE provides the
Administrator role which corresponds to the NDPP Security Administrator.
The TOE includes pre-defined user roles, of which only the user role: Administrator is considered a ‘Security
Administrator’ as defined in the NDPP. Users with the Administrator role are capable of managing the security
functions of the TOE. The TOE includes other pre-defined roles that represent logical subsets of the Administrator
role. Only users with the Administrator role can manage all aspects of the TOE.
The TOE includes the following security management functions: functions to configure the TOE banners; to
enable/disable FIPS mode; configure ciphersuites; to configure TLS secure connections for external user LDAP
authentication; to configure user session timeout, and to manage and verify updates of the TOE software. The
security management functions required by the PP are accessible via the GUI, except configuration of the advisory
banner and session timeout, which are done via direct serial connection during initial configuration or remotely via
SSHv2.
The Security management function is designed to satisfy the following security functional requirements:
FMT_MTD.1: The TOE restricts the access to manage TSF data that can affect the security functions of the
TOE to Administrators.
FMT_SMF.1: The TOE includes the functions necessary to configure TOE banners, to enable/disable FIPS
mode, to configure TLS secure connections for external user LDAP authentication, user session timeout,
and to manage and verify updates of the TOE software and firmware.
FMT_SMR.2: The TOE includes predefined roles of which only the Administrator role has access to all
security management functions of the TOE, which corresponds to the required ‘Security Administrator’.
6.6 Protection of the TSF
While the administrative interface is function rich, the TOE is designed specifically to prevent access to locally-
stored cryptographically protected passwords and does not disclose any keys stored in the TOE. The TOE protects
user passwords as follows. User and administrator passwords are hashed with SHA-512. Keys are encrypted using
the default Java algorithm, which is PBEWithMD5AndTripleDES. The TOE does not offer any functions that will
disclose to any users a stored cryptographic key or password. See Section 2 for more information about stored keys
and passwords.
The TOE protects TSF data from disclosure and detects its modification when it is transmitted between separate
parts of the TOE through the use of TLS/HTTPS. Communication between TOE components uses HTTP over TLS
for TOE configuration, management and monitoring.
The TOE is a hardware appliance or a virtual appliance image installed on a hardware appliance that includes a
hardware-based real-time clock. The TOE’s embedded OS manages the clock and exposes administrator clock-
related functions. The clock is used for audit record time stamps, measuring session activity for termination, and for
cryptographic operations based on time/date. The TOE requires an NTP Server in the operational environment in
order to synchronize its clock with that of the external time server.
The TOE includes FIPS validated OpenSSL and RSA BSAFE and as such runs the same suite of self tests included
with these packages during initial start-up (on power on) to demonstrate the correct operation of the cryptographic
procedures of the TOE. Please see the publically available FIPS policies for OpenSSL and RSA BSAFE for more
details.
MX and Gateway software updates can be downloaded from the TOE Update Server using a secure TLS connection.
A software update installation package is hashed by Imperva using SHA-256 hash. Administrators with proper
credentials are able to download the update package and can verify the hash prior to installing the update. If the
verification fails, it is assumed that the download was corrupted and the administrator is instructed not to install the
Security Target 12 November 2015
27
package. There are no automatic installation procedures available. The TOE provides functions to query and
upgrade the TOE versions.
The Protection of the TSF function is designed to satisfy the following security functional requirements:
FPT_APW_EXT.1: The TOE does not offer any functions that will disclose to any user a plain text
password. Passwords and keys are stored in cryptographically protected form within the TOE.
FPT_ITT.1: The TOE protects TSF data from disclosure and detect its modification when it is transmitted
between separate parts of the TOE through the use of TLS/HTTPS.
FPT_SKP_EXT.1: The TOE does not offer any functions that will disclose to any users a stored
cryptographic key.
FPT_STM.1: The TOE includes its own hardware clock.
FPT_TST_EXT.1: The TOE runs the self-tests included in the FIPS validated OpenSSL and RSA BSAFE
packages to ensure that the TOE is functioning properly.
FPT_TUD_EXT.1: The TOE provides functions to query and upgrade the TOE versions. SHA-256 hash is
used to ensure the integrity of each upgrade prior to performing the upgrade.
6.7 TOE access
The TOE can be configured by an administrator to display advisory banners prior to allowing an administrator to
establish an administrative user session. The banner will be displayed when accessing the TOE locally, via SSHv2
or via the GUI.
The TOE can be configured by an administrator to set an interactive session timeout value (any integer value greater
than zero in minutes; -1 specifies a value of infinity). The default timeout is fifteen minutes for local and remote
sessions for both the CLI and GUI. A remote session that is inactive (i.e., no commands issuing from the remote
client) for the defined timeout value will be terminated. A local session that is similarly inactive for the defined
timeout period will be terminated. Should a user have their session terminated (e.g., due to inactivity), they are
required to successfully authenticate, by reentering their identity and authentication data, in order to establish a new
session.
The TOE provides functions to logout (or terminate) both local and remote user sessions as directed by the user.
The TOE access function is designed to satisfy the following security functional requirements:
FTA_SSL.3: The TOE terminates remote sessions that have been inactive for an administrator-configured
period of time.
FTA_SSL.4: The TOE provides the function to logout (or terminate) both local and remote user sessions as
directed by the user.
FTA_SSL_EXT.1: The TOE terminates local sessions that have been inactive for an administrator-
configured period of time.
FTA_TAB.1: The TOE can be configured to display administrator-defined advisory banners before
establishing an administrative user session.
6.8 Trusted path/channels
The TOE can be configured to export audit records to an external Syslog server. The TOE uses TLS to protect
communications between itself and components in the operational environment including the TOE Update Server,
Syslog and authentication servers (LDAP).
To support secure remote administration, the TOE includes implementations of TLS and SSH. An authorized
administrator can establish secure remote connections with the TOE using HTTP over TLS or SSHv2. To
successfully establish an interactive administrative session, the administrator must be able to provide acceptable user
Security Target 12 November 2015
28
credentials (e.g., user id and password), after which they will be able to access the Administrative functions. The
TOE also supports public key-based authentication for users connecting to the CLI via remote SSHv2.
The secure protocols are supported by NIST-validated cryptographic mechanisms included in the TOE
implementation.
The Trusted path/channels function is designed to satisfy the following security functional requirements:
FTP_ITC.1: The TOE can be configured to use TLS to ensure that any authentication operations, and
exported audit records, are sent only to the configured Syslog or authentication servers so they are not
subject to inappropriate disclosure or modification. TLS is also used to ensure TOE updates are transmitted
securely.
FTP_TRP.1: The TOE provides SSH and TLS/HTTPS to support secure remote administration.
Administrators can initiate a remote session that is secured (from disclosure and modification) using NIST-
validated cryptographic operations, and all remote security management functions requires the use of this
secure channel.
Security Target 12 November 2015
29
7. Protection Profile Claims
The ST conforms to the Protection Profile for Network Devices, Version 1.1, 8 June 2012 (NDPP), as amended by
Errata #3 – with the optional FPT_ITT, HTTPS and TLS requirements.
As explained in Section 3, Security Problem Definition, the Security Problem Definition of the NDPP has been
included by reference into this ST.
As explained in Section 4, Security Objectives, the Security Objectives of the NDPP have been included by
reference into this ST.
The following table identifies all the Security Functional Requirements (SFRs) in this ST. Each SFR is reproduced
from the NDPP and operations completed as appropriate.
Requirement Class Requirement Component Source
FAU: Security audit FAU_GEN.1: Audit Data Generation NDPP
FAU_GEN.2: User identity association NDPP
FAU_STG_EXT.1: External Audit Trail Storage NDPP
FCS: Cryptographic
support
FCS_CKM.1: Cryptographic Key Generation (for asymmetric keys) NDPP
FCS_CKM_EXT.4: Cryptographic Key Zeroization NDPP
FCS_COP.1(1): Cryptographic Operation (for data encryption/decryption) NDPP
FCS_COP.1(2): Cryptographic Operation (for cryptographic signature) NDPP
FCS_COP.1(3): Cryptographic Operation (for cryptographic hashing) NDPP
FCS_COP.1(4): Cryptographic Operation (for keyed-hash message
authentication)
NDPP
FCS_HTTPS_EXT.1: Extended: HTTP Security (HTTPS) NDPP
FCS_RBG_EXT.1: Extended: Cryptographic Operation (Random Bit
Generation)
NDPP
FCS_SSH_EXT.1: Explicit: SSH NDPP
FCS_TLS_EXT.1: Extended: Transport Layer Security (TLS) NDPP
FDP: User data
protection
FDP_RIP.2: Full Residual Information Protection NDPP
FIA: Identification
and authentication
FIA_PMG_EXT.1: Password Management NDPP
FIA_UAU.7: Protected Authentication Feedback NDPP
FIA_UAU_EXT.2: Extended: Password-based Authentication Mechanism NDPP
FIA_UIA_EXT.1: User Identification and Authentication NDPP
FMT_MTD.1: Management of TSF Data (for general TSF data) NDPP
FMT_SMF.1: Specification of Management Functions NDPP
FMT_SMR.2: Restrictions on Security Roles NDPP
FPT: Protection of
the TSF
FPT_SKP_EXT.1: Extended: Protection of TSF Data (for reading of all
symmetric keys)
NDPP
FPT_APW_EXT.1: Extended: Protection of Administrator Passwords NDPP
FPT_ITT.1: Basic Internal TSF Data Transfer Protection NDPP
FPT_STM.1: Reliable Time Stamps NDPP
FPT_TST_EXT.1: TSF Testing NDPP
FPT_TUD_EXT.1: Extended: Trusted Update NDPP
FTA: TOE access FTA_SSL.3: TSF-initiated Termination NDPP
FTA_SSL.4: User-initiated Termination NDPP
FTA_SSL_EXT.1: TSF-initiated Session Locking NDPP
FTA_TAB.1: Default TOE Access Banners NDPP
FTP: Trusted
path/channels
FTP_ITC.1: Trusted Channel NDPP
FTP_TRP.1: Trusted Path NDPP
Table 6 SFR Protection Profile Sources
Security Target 12 November 2015
30
8. Rationale
This security target includes by reference the NDPP Security Problem Definition, Security Objectives, and Security
Assurance Requirements. The security target makes no additions to the NDPP assumptions. NDPP security
functional requirements have been reproduced with the Protection Profile operations completed. Operations on the
security requirements follow NDPP application notes and assurance activities. Consequently, NDPP rationale
applies but is incomplete. The TOE Summary Specification rationale below serves to complete the rationale
required for the security target.
8.1 TOE Summary Specification Rationale
Each subsection in Section 6, the TOE Summary Specification, describes a security function of the TOE. Each
description is followed with rationale that indicates which requirements are satisfied by aspects of the corresponding
security function. The security functions work together to satisfy all of the security functional requirements.
Furthermore, all of the security functions are necessary in order for the TSF to provide the required security
functionality.
This Section in conjunction with Section 6, the TOE Summary Specification, provides evidence that the security
functions are suitable to meet the TOE security requirements. The collection of security functions work together to
provide all of the security requirements. The security functions described in the TOE summary specification are all
necessary for the required security functionality in the TSF. Table 7 Security Functions vs. Requirements
Mapping demonstrates the relationship between security requirements and security functions.
Security Target 12 November 2015
31
Sec
uri
ty a
ud
it
Cry
pto
gra
ph
ic s
up
po
rt
Use
r d
ata
pro
tecti
on
Iden
tifi
cati
on
an
d
au
then
tica
tio
n
Sec
uri
ty m
an
ag
emen
t
Pro
tecti
on
of
the
TS
F
TO
E a
cces
s
Tru
sted
pa
th/c
ha
nn
els
FAU_GEN.1 X
FAU_GEN.2 X
FAU_STG_EXT.1 X
FCS_CKM.1 X
FCS_CKM_EXT.4 X
FCS_COP.1(1) X
FCS_COP.1(2) X
FCS_COP.1(3) X
FCS_COP.1(4) X
FCS_HTTPS_EXT.1 X
FCS_RBG_EXT.1 X
FCS_SSH_EXT.1 X
FCS_TLS_EXT.1 X
FDP_RIP.2 X
FIA_PMG_EXT.1 X
FIA_UAU.7 X
FIA_UAU_EXT.2 X
FIA_UIA_EXT.1 X
FMT_MTD.1 X
FMT_SMF.1 X
FMT_SMR.2 X
FPT_APW_EXT.1 X
FPT_ITT.1 X
FPT_SKP_EXT.1 X
FPT_STM.1 X
FPT_TST_EXT.1 X
FPT_TUD_EXT.1 X
FTA_SSL.3 X
FTA_SSL.4 X
FTA_SSL_EXT.1 X
FTA_TAB.1 X
FTP_ITC.1 X
FTP_TRP.1 X
Table 7 Security Functions vs. Requirements Mapping